Extended Security

Extended Security offers hardening options for administrators - to further lock down their Pyramid instance. While the system remains secure without these options, there are often requirements or scenarios where admins would like to extend the standard security apparatus already in place.

General Security

  • Delegate Kerberos: If using Windows Authentication as the method for authentication, you can optionally turn this on to continue delegating the Kerberos tickets through the system. They are only required when using Kerberos delegated authentication - currently SAP BW Logon Tickets and MS SQL Server Relational Authentication with Windows Auth. It is NOT required for MS Analysis Services Authentication. Turning this off, if not needed, will positively impact performance.
  • Network Security: this links through to the network settings page to enable encryption for internal communications between the Pyramid services. If your instance of Pyramid is installed behind a secure firewall and network, this option is mostly superfluous. Turning this off, if not needed, will positively impact performance.
  • Mobile Devices: this links to the mobile device settings page to enable mobile session timeout.
  • Multi-Factor Auth: this links to the Web Services authentication method settings page where multi-factor authentication can be turned on.
  • Password Strength: this links to the authentication provider settings where the password strength restrictions can be applied.

Note: Multi-Factor Auth and Password Strength buttons, identified above by the yellow box, will only appear if the system authentication provider is defined as "Database", i.e. using Pyramid as the authentication provider.

Client Security

These settings impact the way the HTML clients and cookies are handled and secured.

  • Use Request Hash Security: Option to add a hash check to key client-side functions to ensure that only authorized users are performing authorized activities on relevant content. It is recommended to keep this box checked.
  • Disable CORS (Cross-origin resource sharing): Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. This capability is needed in Pyramid specifically when using the embedding capabilities. An admin can choose to Disable Cross-origin resource sharing (CORS) and prevent Pyramid from accepting requests from other domains. Note that if this option is enabled, embedding capabilities will be disabled.
    • Web Site Domains: If CORS is left enabled, then a white list of web domains should be provided that can be used for cross domain access, to prevent any degradation in client security.
  • Iframe hosting: Option to disable IFrame hosting.
    • Allow: enables IFrame hosting. They are commonly used for advertisements, embedded videos, web analytics and interactive content.
    • Deny: This blocks all IFrame hosting. If IFrame hosting is blocked, IFrame embedding capabilities will be disabled.
    • Same Origin: enables IFrame hosting only from the same website domain as Pyramid.
  • Same Site: SameSite stops the browser from sending cookies along with cross-site requests. The goal is to lower the risk of cross-origin information leaks, and to offer some protection against cross-site request forgery (CSRF) attacks.
    • Disable: allows cookies to be sent with cross-site requests.
    • Lax: the cookie is sent only with top-level navigations that use a safe HTTP method such as GET (for example, following a link), not with other cross-site requests.
    • Strict: stops the cookie being sent by the browser to the target site in all cross-site browsing contexts, including when following a regular link.
  • Enforce SSL secure cookies and pages: choose this option to ensure all cookies are flagged for operation with SSL encrypted websites only (HTTPS). When this option is selected, the application will be blocked from operating with plain HTTP.
  • Enable JavaScript actions: This option must be enabled for JavaScript actions defined in Discover or Present to execute a script in the browser. Allowing user-defined scripts to run in the browser could pose a security risk, so leave it disabled unless JavaScript actions are required.
  • Cookie Timeout: Options to enforce cookie expiration with the ability to set the cookie timeout period. This ensures users must log in to the application again when a cookie is marked as expired. The timeout period can be set to a period from 30 minutes to 12 months.
  • Embed Cookie Timeout: Options to enforce expiry of the embedded token - only relevant if using embedded content. In this scenario the pyramid.authFailure API is available, and you implement the behavior of this function yourself; for example, you may want to redirect users to the Pyramid login page or show them a message. This ensures users must log in to the application again when an embedded token is marked as expired. The timeout period can be set to a period from 30 minutes to 12 months.
  • Hide query error messages from Viewer: This is a precautionary switch to hide any query related errors, and associated query details, from non-admin users.
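The Embed Cookie Timeout entry above leaves the behavior of pyramid.authFailure to the embedding page. The following is an added example, not Pyramid's own code: it assumes the embed script exposes a global `pyramid` object on which the callback is assigned, that the callback's argument shape is undocumented here (so it is only logged), that `returnUrl` is a hypothetical query parameter, and that the login URL is a placeholder.

```javascript
// Placeholder for the instance's login page (not a real address).
const PYRAMID_LOGIN_URL = "https://pyramid.example.invalid/login";

// Build the login URL carrying the embedding page as a return target, so the
// user lands back on the host page after re-authenticating.
// "returnUrl" is an assumed parameter name, not one documented on this page.
function buildLoginRedirect(loginUrl, currentHref) {
  const url = new URL(loginUrl);
  url.searchParams.set("returnUrl", currentHref);
  return url.toString();
}

// Create the authFailure handler. Browser side effects are injected through
// `actions` so the decision logic can be exercised outside a browser.
// mode "redirect" sends the user to the login page; mode "message" only
// informs the user that the embedded session has expired.
function createAuthFailureHandler(actions, options) {
  const opts = Object.assign({ mode: "redirect", loginUrl: PYRAMID_LOGIN_URL }, options);
  return function authFailure(detail) {
    // `detail` is whatever Pyramid passes; its shape is not documented here.
    actions.log("pyramid.authFailure invoked", detail);
    if (opts.mode === "redirect") {
      const target = buildLoginRedirect(opts.loginUrl, actions.currentHref());
      actions.navigate(target);
      return { action: "redirect", target };
    }
    const message = "Your embedded session has expired. Please sign in again.";
    actions.showMessage(message);
    return { action: "message", message };
  };
}

// Assign the handler to the embed object (assumed to be the global `pyramid`).
function installAuthFailureHandler(pyramidObj, handler) {
  pyramidObj.authFailure = handler;
  return pyramidObj;
}

// Browser wiring: only runs when a window and the embed object exist.
if (typeof window !== "undefined" && window.pyramid) {
  installAuthFailureHandler(window.pyramid, createAuthFailureHandler({
    log: (...args) => console.warn(...args),
    currentHref: () => window.location.href,
    navigate: (u) => window.location.assign(u),
    showMessage: (m) => window.alert(m),
  }));
}
```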